What’s Next in Progressing Cybersecurity Culture?

Tricia Griffith, CEO of Progressive, the
large insurance provider, said: “With the right people, culture, and values, you can
accomplish great things.”

Several excellent analogies can
be used to describe the global challenge we face in cyberspace. We can describe
it as modern piracy, given the history of piracy impacting so many people while
it was rampant, its criminal nature, and its use in proxy wars between the great
naval powers of the 17th and 18th centuries. It could be
thought of as similar to infectious disease, given how often software viruses
are proximate to fraud and sabotage, how widespread and destructive these
viruses are, and how they spread through contact. It can be considered akin to
unbridled marketplace competition as perhaps the emerging industrialists
envisioned their battlefield in the 18th and 19th
centuries. And, of course, it can be thought of more directly as outright war,
where skirmishes and battles are fought by and for nation-states, with catastrophic
collateral damage being inflicted on citizens the world over.

In each case, the common first
step in fighting back is to change the culture. Whether it’s to band
governments together to defeat a common enemy, create a public/private
cooperative, or develop a sense of civic duty through education and public
discourse, causing a culture change is often the first step in turning the
tide.

With that as the backdrop, let’s
think about how we’re doing in this culture change we know we need. ISACA and
the CMMI Institute tapped the power of their combined community to look at how we’re
doing at developing and adopting a cybersecurity culture. The 2018 ISACA/CMMI Culture of
Cybersecurity research
looks at more than 30 data points related to cyber culture, and with nearly
5,000 global respondents across small, medium and large organizations, it yields
several revealing findings.

To make the shift we
need requires three distinct steps or phases. First, we need to create
awareness of the problem in a way that makes it real to the entire workforce.
It needs to be personal. People need to understand why it matters, not just to
their organization, but to them. Next, teach people basic self-defense. They
need to know what they should do to protect themselves. Then, finally, we need
to develop within the workforce a sense of unity of purpose and make real to
them the shared outcomes we want to achieve.

From the research, we
see that 87% of respondents believe that establishing a stronger cybersecurity
culture will improve profitability or viability. We also learn that almost 8 in
10 believe those without such a culture experience more breaches, and more than
7 in 10 think they would be more susceptible to phishing. I think this is great;
it means we are motivated to make the changes we need to the cyberculture we
have, and we believe it is essential to the organization, not the regulators,
that we do so.

Coming back to our three
steps, we also see from the research that fully 96% of respondents already have
or expect to have employee training in place by the end of next year. We can
assume, then, if you are reading this, you likely have a program in place. Most
importantly, the topic most often addressed is cyber risk awareness, cited by 8
in 10 respondents. Your task now is to make sure this awareness program establishes
the connection for the workforce of how cyber hygiene impacts them personally.

You’re not alone.
Barely 3 in 10 believe their workforce understands their role in cybersecurity
completely or very well. Conversely, around half believe they somewhat
understand their role, and almost 2 in 10 (19%) fall into the not at all and
minimal categories. I think we need to move a good many people from “somewhat”
to “very well” to create the momentum we need toward a sense of unity around
the outcomes we want. Three in 10 can hardly create a draft for their
teammates to follow, but perhaps 6 or 7 in 10 can. Clearly this is important, as 41% of
respondents agree that the lack of employee buy-in or understanding is the most
critical inhibitor for achieving the desired cybersecurity culture.

Of course, measuring
our progress is essential. First, make the tweaks to your program to make it
personal to all workers. Then, add regular assessments to gauge how the
workforce is responding, a step that most organizations are currently missing.
Moving the bar on this metric will significantly improve the effectiveness of
your cybersecurity awareness program. Engage with the workforce, measure
phishing click-throughs, reward successful outcomes, and make sure you have
consistent executive sponsorship. If executives can motivate the workforce to
improve product quality and increase sales, they can certainly accomplish the
great things that Ms. Griffith believes a great culture can achieve by driving
a change in the cybersecurity culture.

Bill Bonney, CISA

Bill
Bonney is a security
evangelist, author and consultant. Most recently, Bill was Vice President of
Product Marketing and Chief Strategist at FHOOSH, a maker of high-speed
encryption software. Prior to FHOOSH, Bill held executive management roles at the
financial services firms Intuit (maker of TurboTax and QuickBooks) and FICO (of
the famed “FICO Score”) and was Vice President of Product Marketing and a
Principal Consulting Analyst at TechVision Research. Bill holds
multiple patents in data protection, access and classification, is a member
of the Board of Advisors for CyberTECH, a San Diego incubator, and is on the
board of directors for the San Diego CISO Roundtable, a professional group focused
on building relationships and fostering collaboration in information security
management. Bill is a highly regarded speaker and panelist addressing
technology and security concerns. He holds a Bachelor of Science degree in
Computer Science and Applied Mathematics from Albany University.